Re: [Vserver] Template server files
On Sun, 2004-10-24 at 13:25, Tor Rune Skoglund wrote: > Hi List, > > when trying to make a good template server, one obviously has > to start and enter the virtual server and test the installation > of it, add some programs, make config changes in it and so on. > > But when using it as a template, some files must be removed > or altered before it is made "production ready". AFAICS at > least these have to be changed/deleted: > > * ssh keys > * shell history file > * root password setting > * any standard users password settings > > I am sure there are more, so if any of you experts out there > has additions to the list, please mail me or the list. > I'll make a summary on the wiki afterwards. For a gentoo based vserver, I use the following script(s) - I am assuming a cron daemon is installed within the template: Within the /vservers/TEMPLATE/etc/cron.daily I put: #update-template.cron #!/bin/bash sync emerge rsync sleep 10 emerge --buildpkg --update world /usr/sbin/fixpackages /usr/sbin/env-update /sbin/depscan.sh # Clean up root data rm -f /root/dead.letter rm -rf /root/.ssh/* echo > root/.bash_history echo > root/.bashrc echo > root/.bash_profile After this cronjob is finished - to be sure at 6am, from the Host crontab I run the following: #update_template.sh #!/bin/bash umask 0077 CURDATE=`date +%d%m%Y` if [ "x$1" = "x" ] ; then TEMPLATE="template-$CURDATE" TEMPLATE_DIR="TEMPLATE" else TEMPLATE="$1" TEMPLATE_DIR="$1" fi TEMPFILE="/tmp/exclude_$TEMPLATE_DIR" cat exclude_template | sed "s/TEMPLATE/$TEMPLATE_DIR/g" > $TEMPFILE tar -X $TEMPFILE -C /vservers -cpf /vservers/$TEMPLATE.tar $TEMPLATE_DIR bzip2 -9 /vservers/$TEMPLATE.tar rm -f $TEMPFILE exit 0 And the exclude tree looks like this #exclude_template TEMPLATE/root/* TEMPLATE/proc/* TEMPLATE/dev/pts/* *distcc* TEMPLATE/tmp/* TEMPLATE/usr/portage/* TEMPLATE/var/tmp/* TEMPLATE/var/lib/init.d/started/* TEMPLATE/etc/cron.daily/update-template.cron TEMPLATE/var/spool/cron/lastrun/* There are some additional things to change when deploying the template: * I change /etc/ssh/sshd_config where I set the Listen option to the IP of the vserver > Also, I do not know how well vserver-copy or other copy tools > handle such files, as the documentation seems to be a bit > sparse on the tools. Any enlightment on these matters will > be highly appreciated. I can't help you with that, I have no experience with these tools ;) > Best regards > Tor Rune Skoglund > [EMAIL PROTECTED] > > ___ > Vserver mailing list > [EMAIL PROTECTED] > http://list.linux-vserver.org/mailman/listinfo/vserver -- Regards, Dennis Roos Network Engineer InTouch N.V. Middenweg 76 1097 BS Amsterdam Tel: +31 (0)20 6752060 Fax: +31 (0)20 6758429 ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Template server files
Here is what we do in OpenVPS. This is Fedora biased. I think the utils strategy is copy-everything-then-unify, whereas we stuck to hardlink-as-you-copy-then-leave-it-alone. Either strategy is fine, it probably more depends on what you're doing. In our case the vserver is intended to passed to a client/customer/etc, so it's best not to touch those files once they're released, which why we've been avoiding vuinify. We pretty much follow these steps: 1. Build a reference server like any other server (there is more than one way to do it, we just use rpm and then manually adjust little things, the vserver utils use the magic of apt to do it). 2. There is a "fixflags" script. It walks the tree and sets certain things immutable (iunlink to be exact). The strategy is similar to what vunify does - we rely on RPM package information, if a file is marked as "config" it is not flagged with iunlink. 3. To make a vserver you have a "clone" script. The clone script makes hard links to files that are iunlink, and copies most everything else. Some files are not copied, but just created (touched). The specific "clone rules" we use look like this (these rules make an assumption that the reference server is in a pristine state, otherwise you'd need a more elaborate set of rules): CLONE_RULES = { 'copy' : ['/etc', '/var', '/root', '^/dev'], 'touch' : ['/var/log', '/var/run', '\.bash_history'], 'skip' : ['ssh_host_', '.pem$', '/proc/', '/var/tmp/', '/var/cache/.*/.+'] } (this is in python, btw) This means /etc is always copied, everything in /var/log is always "touched", .pem files are skipped, etc. 4. If you update the reference server, just go ahead and do it, and remember to run the fixflags afterwards, or the clone step will not hardlink the new files because they're not iunlink. Haven't tried vserver-copy, it probably does something similar. Grisha On Sun, 24 Oct 2004, Tor Rune Skoglund wrote: Hi List, when trying to make a good template server, one obviously has to start and enter the virtual server and test the installation of it, add some programs, make config changes in it and so on. But when using it as a template, some files must be removed or altered before it is made "production ready". AFAICS at least these have to be changed/deleted: * ssh keys * shell history file * root password setting * any standard users password settings I am sure there are more, so if any of you experts out there has additions to the list, please mail me or the list. I'll make a summary on the wiki afterwards. Also, I do not know how well vserver-copy or other copy tools handle such files, as the documentation seems to be a bit sparse on the tools. Any enlightment on these matters will be highly appreciated. Best regards Tor Rune Skoglund [EMAIL PROTECTED] ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver
[Vserver] Template server files
Hi List, when trying to make a good template server, one obviously has to start and enter the virtual server and test the installation of it, add some programs, make config changes in it and so on. But when using it as a template, some files must be removed or altered before it is made "production ready". AFAICS at least these have to be changed/deleted: * ssh keys * shell history file * root password setting * any standard users password settings I am sure there are more, so if any of you experts out there has additions to the list, please mail me or the list. I'll make a summary on the wiki afterwards. Also, I do not know how well vserver-copy or other copy tools handle such files, as the documentation seems to be a bit sparse on the tools. Any enlightment on these matters will be highly appreciated. Best regards Tor Rune Skoglund [EMAIL PROTECTED] ___ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver